[Dshield] Question on appropriate university research

Tony Earnshaw tonni at hetnet.nl
Tue Sep 18 13:14:52 GMT 2007

Tom wrote, on 18-09-2007 03:38:

> We were probed by a machine on CMU's network weekly on port 22. We 
> reported this to CMU abuse and received the following response:


> Now, this "SSH scanning" project looks just like a botnet searching 
> for hosts to attack later from my machine's viewpoint.
> Don't you think that this is at best ill-advised without contacting 
> the IP block owners? Further, what they're trying to sample is not 
> what they are sampling, but that's another story.
> Your comments and inputs are appreciated because I think this guy's PhD 
> advisor is way out of line to condone this activity.

Personally, I feel that you're overreacting, but then that depends on 
what sort of a scan it was. I'd have no compunction about letting a full 
open port nmap stealth scan run on any machine on the Internet I choose, 
but there's no way I'd ever try abusing any one of those open ports.

Start getting worried when people repeatedly try ssh logins on your port 
22 and really worry when you see dictionary attacks.

If I were paid €0.10 for every attempt I see on my open port 22 
(iptables), I'd be ... But I confine allowed logins to specific source 
IP numbers and identities.


Tony Earnshaw
Email: tonni at hetnet dot nl
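
The distinction drawn in the reply above (a bare port 22 probe, repeated ssh login attempts, and a dictionary attack), written as a log check. This is an added example, not part of the original post; the sshd log lines are constructed with documentation addresses, and the two thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Sep 18 03:38:01 host sshd[1001]: Did not receive identification string from 192.0.2.10
Sep 18 03:40:11 host sshd[1002]: Failed password for root from 198.51.100.7 port 40111 ssh2
Sep 18 03:40:13 host sshd[1002]: Failed password for root from 198.51.100.7 port 40111 ssh2
Sep 18 03:40:15 host sshd[1003]: Failed password for root from 198.51.100.7 port 40112 ssh2
Sep 18 03:41:00 host sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Sep 18 03:41:02 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 51001 ssh2
Sep 18 03:41:04 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.5 port 51002 ssh2
Sep 18 03:41:06 host sshd[1007]: Failed password for invalid user guest from 203.0.113.5 port 51003 ssh2
Sep 18 03:41:08 host sshd[1008]: Failed password for root from 203.0.113.5 port 51004 ssh2
"""

# A connection that never speaks SSH: what a port probe leaves behind.
PROBE_RE = re.compile(r"Did not receive identification string from (\S+)")
# A real authentication attempt, for either an existing or a nonexistent account.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def classify(log_text, repeat_threshold=3, dict_threshold=5):
    """Return {source_ip: 'probe' | 'login-attempts' | 'repeated-logins' | 'dictionary'}."""
    probes = set()
    failures = defaultdict(int)   # failed logins per source
    users = defaultdict(set)      # distinct usernames tried per source
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = PROBE_RE.search(line)
        if m:
            probes.add(m.group(1))
    verdicts = {}
    for src in probes | set(failures):
        if len(users[src]) >= dict_threshold:      # many usernames: dictionary attack
            verdicts[src] = "dictionary"
        elif failures[src] >= repeat_threshold:    # same source keeps trying to log in
            verdicts[src] = "repeated-logins"
        elif failures[src] > 0:
            verdicts[src] = "login-attempts"
        else:                                      # touched the port, never authenticated
            verdicts[src] = "probe"
    return verdicts
```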
